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We consider a family of quantum communication protocols 
involving A*' partners. We demonstrate the existence of a 
link between the security of these protocols against individual 
attacks by the eavesdropper, and the violation of some Bell's 
inequalities, generalizing the link that was noticed some years 
ago for two-partners quantum cryptography. The arguments 
are independent of the local hidden variable debate. 



Historically, entanglement was essentially a source of 
controversy on the foundations of quantum mechanics, 
as illustrated by the lively debate about the local hidden 
variable program and Bell's inequality Today, it is 
widely recognized that entanglement is a resource from 
which tasks can be achieved that are classically impossi- 
ble, as illustrated by many quantum information proto- 
cols 1^. Among these protocols, quantum cryptography 

— better described as quantum key distribution (QKD) 

— is the one that has almost reached the level of appli- 
cation fn this work, we study the link between the 
security of quantum communication protocols and the vi- 
olation of Bell's inequalities. Previous works [^jj^ pointed 
out such a link in QKD between two partners Alice and 
Bob. We begin by reviewing these results, that will help 
to clarify the initial intuition and the motivation for the 
present work. 

Consider the following QKD setup Alice prepares 
an EPR state, say |$+) = 75 (1 00) + IH))- where we 
write |0) and |1) for the eigenstates of Gz- She keeps one 
qubit and sends the other one to Bob. Alice and Bob 
measure either Ux or ay, then publicly communicate the 
choice of the measurement basis. Whenever they have 
used the same basis, their results are perfectly correlated, 
and they can establish a key. This protocol is equivalent 
to the BB84 protocol |Q. Its distinguishing feature is 
the fact that the bits are encoded into orthogonal states 
belonging to two conjugated bases. 

To study the security of the protocol, consider an 
eavesdropper (Eve) that acts on the quantum channel 
linking Alice to Bob, trying to get some information but 
inevitably introducing perturbations. To establish a key 
in spite of these perturbations, A and B can run a one- 
way protocol called error correction and privacy amplifi- 
cation if and only if Q 

I{A : B) > min[/(A : E),I{B : E)] (1) 
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where I {A : B) = H{A) + H{B) - H{AB), H the Shan- 
non entropy, is called mutual information. In the follow- 
ing, we shall consider (|l|) as the condition for security, 
although it is known that a secret key can be established 
under less restrictive conditions by using two-way com- 
munication 

In our context. Eve's best attack is defined as the at- 
tack that maximizes I {A : E) for a fixed I{A : B). The 
best attack is not known in all generality [|o|; but it 
is, if we suppose that Eve performs an individual attack, 
that is, that she makes only measurements on individual 
qubits 1^. Moreover, it is also known that Eve can per- 
form the best individual attack by using a single qubit 
as resource jll|] , by implementing the following unitary 
transformation affecting her and Bob's qubits: 

UBEm - ioo) 

Ube\IQ) = cos (/.| 10) + sin 0101) ' ^ > 

Here, |00) etc. are shorthand for |0)^ ® |0)^ etc. (by 
convention, we supposed that Eve prepares her qubits in 
the state |0)), and 4> G [0, ^] characterizes the strength 
of Eve's attack. Thus, after eavesdropping the system 
of three qubits is in the state abe) = "^f ® 
Ube\00) + a'»Ube\1'^))- Note that the roles of B and 
E are symmetric under the exchange of (p with ^ ~ (j). 
The mutual information between any two partners can 
be calculated explicitly (l2j : condition (|l|) for security is 
fulfilled if and only if < | . 

As we said above, there is a remarkable link between 
the security of the BB84 protocol against individual at- 
tacks and the violation of Bell's inequalities. For any set 
of four unit vectors a — {ai, a 'j^, (12, a 2}) lot's define the 
two-qubit Bell operator 

-82(0) = {aa^ + Cr„/ ) ® (Ja^ + {(Ta^ - fJ^'J «) (Ta^ (3) 

with (Tq = a ■ (7. The CHSH inequality reads 
S2 — maxa Tr(p _B2(a)) < 2, while the maximal value 
allowed by QM is ^2 = 2\/2 ||. The GHSH inequality 
is optimal, in the sense it is violated if and only if the 
statistics of the results cannot be accounted for by local 
hidden variables (Ihv) |l5|. The Horodecki criterion |l^ ] 
allows an explicit calculation of S for each two-qubit state 
obtained from \'^abe) by tracing out the third qubit. We 
find that the pair B-E never violates the inequality, while 

Sab = 2%/2 cos , Sae = 2^2 sin . (4) 

Then obviously Sab > 2 if and only if Sae < 2: the 
inequality is violated by the pair A-B if and only if it 
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is not violated by the pair A-E. In conclusion, for the 
QKD protocol that we consider, (|l|) holds if and only if 
Sab>2> Sae (hg. §■ 
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FIG. 1. The link between violation of Bell's inequality and 
the security condition (^), in the case of the two-partners 
QKD with best individual attack by Eve. 



The previous paragraphs summarize the present 
knowledge about the link between security and Bell's in- 
equalities. In the following, we shall generalize this link 
for QKD protocols involving an arbitrary number of part- 
ners. But before turning to this, let's address the follow- 
ing purely algebraic problem, which is naturally related 
to this discussion. Consider three partners A,B and C 
(here there is no more reason to single out an Eve), each 
possessing a qubit. Are there pure or mixed states of the 
three qubit system such that more than one pair can vi- 
olate the CHSH inequality? The answer to this question 
is negative: 

Theorem 1: Let p be a three- qubit state, and pab, Pbc 
and pac be the two-qubit states obtained from p by trac- 
ing out one of the qubits. If one can find four unit vectors 
a,a',b,b' such that Tr{B2 pab) > 2, then for all choice 
of four unit vectors Tr{B2 Pbc) < 2 and Tr{B2 PAc) < 2. 
We present a proof inspired by Cirel'son's proof that the 
maximal violation of CHSH allowed by quantum mechan- 
ics is 2 a/2 IQ. Let's define the operator 

V = BABia, a', b, b') + Bac{A, A', c, c') . (5) 

where Bab = B2 ® t^c, and similarly for Bag- Using 
CaCa' = (a • a')l + ^CaAa', lengthy but standard algebra 

leads to 21^ = /I, where / is a function of the 

unit vectors that satisfies < / < 4 This entails 

\{V)p\ < 4, that is maxKB^s + Bac)p\ < 4, where the 
maximum is taken over the eight unit vectors that de- 
fine V. But due to the symmetry Bab{S, a', —6, —b') = 
— BAB{a, a', 6, 6'), it holds that ma.x\{BAB + Bac)p\ = 
max + max |(i3Ac)p| = Sab + Sac- In conclu- 

sion. Sab + Sac < 4 for all p and for all choice of unit 
vectors. This proves the theorem. 



Two remarks: (i) It is easy to imagine experimental 
protocols in which, for suitable states, both pairs A-B 
and A-C end up with a violation of the inequality: e.g., 
a pair can analyze their data conditioning on the results 
of the third partner, if they know this result through 
classical communication; or, a pair may apply a filtering 
procedure . (ii) There are states depending on one or 
more parameters such that one can "shift" the violation 
from one pair to another by varying the parameters: the 
state introduced above in the context of QKD, in partic- 
ular, is such that Sab{<I>) > 2 if and only if S'ac(0) < 2 

We explore now the generalization of the link between 
Bell's inequalities and security to QKD protocols involv- 
ing more than two partners. The protocols that we 
consider are characterized by the fact that the sender 
distributes the key between several partners, in such a 
way that all partners must collaborate to retrieve the 
key. We call these protocols N-partners quantum se- 
cret sharing (N-QSS) For simplicity, we discuss 
in detail the protocol 3-QSS involving three partners, 
and discuss later how this generalizes to an arbitrary 
number of partners. Without eavesdropping, 3-QSS 
works as follows. Alice prepares the 3-qubit GHZ state 
-^(|000) + I 111)); she keeps one qubit and sends the 
others to her two partners Bob and Charlie. The three 
of them measure ax or CTj,; the GHZ state is such that 
{ax ®ax® ax) = -~{ax ®ay® ay) =-{ay®ax® ay) = 
— {ay ® ay ® ax) — 1, and the other expectation values 
vanish. Then A, B and C publicly announce the bases 
they used, and keep only those measurements when all 
measured ax, or when one measured ax and the oth- 
ers ay. It is easy to see that each partner alone has 
no information on the key of any other partner, but if 
two partners collaborate then they have all the informa- 
tion about the key of the third partner. Therefore the 
meaningful information measure is the information that 
B and C together have on A's sequence of bits, that is 
I{A : BC) = H{A) - H{A\BC) = 1 - H{A\BC). In the 
absence of eavesdropping, H{A\BC) ~ 0. 

Two eavesdropping scenarios can be imagined: 
Scenario 1: An external Eve tries to eavesdrop on both 
channels A-B and A-C. We still restrict to attacks that 
are "individual" in the sense that each pair of qubits is 
attacked independently from all the other pairs; but we 
allow coherent measurements on the two qubits of each 
pair. 

Scenario 2: Charlie is dishonest: he would like to retrieve 
the key alone, against the will of Alice who would force 
him and Bob to collaborate. Then C collaborates with 
Eve, who tries to eavesdrop on the line A-B in order to 
get as much as possible information about Bob's qubit. 

The security issue on these protocols is analogous to 
the two partners case. We sketch the argument, see 
for all details. The key of the demonstration is the fact 
that the time ordering of the measurements is not im- 
portant: if (say) the time of Alice's measurement would 
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change something in the local statistics of her partners or 
in their correlations, the protocol would allow signaling. 
Therefore, we can discuss security on completely equiv- 
alent protocols in which some partners measure their 
qubits first, this measurement acting as a preparation 
on the state of the other qubits. 

Take Scenario 1 first: When Alice measures her qubit, 
she prepares one of the four states --i|(|00) ± 

^(|00) ±i|ll)). Therefore, one can see this protocol as a 
two-partners communication, Alice sending information 
to Bob-Charlie. Since we want to maximize I{A : E) 
for a fixed I {A : BC), Eve's best individual attack can 
be copied directly from (||), replacing |0)^ and by 
|00)^P and 111)^^ respectively: 

C/scbIOOO) 1 000) 
C/sc_e|110> = cos0|llO) + sin0|OOl) ' 



(6) 



In particular. Eve can still perform the best individual at- 
tack by using a single qubit. This is surprisingly simple, 
because a priori Eve needs an increasing number of qubits 
(2^") to perform the most general attack on n qubits. 
However, even if Eve does not need a larger probe, she 
must be able to implement a coherent operation on a big- 
ger number of qubits. Under this respect, eavesdropping 
on several channels is more complicated than on a single 
channel. 

Scenario 2 can be discussed in the same way: When A 
and C measure their qubit, we have a single qubit flying 
to B, encoded as in the BB84 protocol, and on which 
E eavesdrops. We just have to be careful because the 
direct analogy with the two-partners case gives us the 
optimum of I {A : E) for a given value of I [AC : B), 
not of I {A : BC). However, by the very definition of 
the protocol, B and C are not correlated, whence I{AC : 
B) = I {A : BC). Therefore, in Scenario 2 Eve's best 
individual attack on Bob's qubit is (||). 

The same arguments can be worked out for the pro- 
tocol N-QSS involving N partners. The general eaves- 
dropping scenario is shown in fig. ^j: n < N — 1 partners 
(Charlies, C_) are dishonest, and want to retrieve the key 
without the help of the N — 1 — n = h other partners 
(Bobs, B_). Then again Eve can perform the best indi- 
vidual attack using a single qubit, which must interact 
coherently with all the h qubits that are to be spied. The 
state of the iV -I- 1 qubits after eavesdropping is 
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= ^(|0^-")|0")|0) +cos</.|l^-'')|l'')|0) 



' sin (ill 
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where the first ket are A and the dishonest C_, the second 
ket are the honest B that are spied, the third ket is Eve. 
Let la = I{A : BC ) the information between the autho- 
rized partners, /„ = I{A : C_E) the information between 
the unauthorized partners. In analogy with the case of 
two partners QKD, it can be shown that la > lu if and 
only if (j) < J [|l2| . Now we can tackle the link with Bell's 
inequalities. 




FIG. 2. The general eavesdropping scenario on N-QSS, 
with h honest Bobs and n = N — h — 1 dishonest Charlies 
collaborating with Eve. 



For our study, we consider the family of inequali- 
ties known as Mermin-Klyshko (MK) inequalities |^,^ . 
This choice will be discussed below. The Bell operator 
for M qubits is defined recursively as 
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where B'^ is obtained from _B„ by exchanging all the Ofc 
and a'j.. The maximal value allowed by QM is Sm — 
2^^, achieved for M-qubit GHZ states. An important 
property of these inequalities is the following: the bound 
Sm < 2~2~ ^ with m < M, can be violated only by states 
in which more than m qubits are entangled [^^. We 
shall say that a M-qubit state violates the inequality if 
for this state Sm > 2~, that is, if the violation can be 
accounted for only by having Af -qubit entanglement. 

Having settled these notions, we can prove 
Theorem 2: The state {"^Nh) given in ^) is such that 
the authorized partners violate the N -qubit MK inequali- 
tiy (in the sense just described) if and only if (f) < j; and 
in this range, the unauthorized partners do not violate the 
{N — h + l)-qubit MK inequality. At (f> — j, both sets of 
partners are exactly at the border of the violation; and for 
(j) > J the roles of the authorized and the unauthorized 
partners is reversed. 

The proof (see [^| for all details) is a direct optimiza- 
tion of expressions hke (4'Ar;i|i3jv(a) Ij^'jv/j) over all 
sets of 2A'^ unit vectors a. This optimization is not easy. 
We could perform it analytically when N and h have dif- 
ferent parities (in particular, this is the case if /i = A'^ — 1, 
that is when all partners are honest and Eve is external) ; 
and some cases where N and h have the same parity were 
checked on the computer. Therefore, to within the lim- 
itations of this proof, we can safely say that: for the N- 
QSS protocols, and whatever the eavesdropping scenario 
in which Eve uses the best individual attack, the security 
condition la > In is satisfied if and only if the authorized 
partners violate the MK inequality, and in this case the 
unauthorized partners do not violate the MK inequality. 
We recall that "violation" here does not merely mean 
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Sm > 2, the limit imposed by Ihv, but Sm > 2"2", i.e. 
that all the qubits are really strongly entangled. 

One might ask if a purely algebraic result like Theorem 
1 holds for the violation of any M-qubit MK inequality. 
The answer is negative. As a counterexample, the four- 
qubit state cosa(|0011) + |1100) +i|0101) + i|1010))/2 + 
sina(z|1001) + |1111))/V2 gives Sabc = Sbcd = 3 > 
2V2 for a « 0.955. However, we have numerical evidence 
that no such states can be produced by Eve. Our current 
knowledge on this question can be found in [Q. In any 
case, the fact that a general algebraic theorem does not 
hold in all cases strengthens the link between security and 
violation of a MK inequality: even though in the Hilbert 
space we can find states that violate two inequalities for 
some shared qubits, these states do not appear in the 
individual eavesdropping on a N-QSS protocol. 

This leads us naturally to the question of the choice 
of the optimal Bell's inequalities. Our choice of the MK 
inequalities is natural in the following sense: we are con- 
sidering QKD protocols in which each partner measures 
two conjugated observables; therefore, we choose also in- 
equalities with two measurements per qubit. Werner and 
Wolf have recently classified all the inequalities of this 
class, and have demonstrated that the MK inequalities 
are those that give the highest violation, for GHZ states 
p^ . It is not impossible that other inequalities may be 
better suited for the study of security in other protocols 
with more than two settings per qubit. For instance, 
in the six-state QKD between two partners it is known 
that Sab > 2 > Sae is a sufhcient but not a necessary 
condition for security |^,^ . 

Of course, we share the open questions of the whole 
field of quantum cryptography: which is Eve's best attack 
in all generality? Or, does something change if the part- 
ners share higher dimensional systems instead of qubits? 
Note also that no satisfactory Bell's inequality has been 
found yet for higher dimensional systems. Under these 
respects, the study of the link between Bell's inequalities 
and security seems to be a promising field of research, 
at the border between quantum information and founda- 
tions of quantum mechanics. 

We conclude by stressing that Bell's inequalities ap- 
pear here in a context that is disconnected (at least at 
first sight) from the studies on Ihv: we have only dis- 
cussed entanglement — to be precise, an entanglement 
that is "useful" for some quantum communication pro- 
tocols. In other words, Bell's inequalities seem to have a 
role to play in "present-day" quantum information pro- 
cessing, and not only in the "old" debate on Ihv. 
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